
Appliance Installation Guide
Version: 8.3
Date: 8/24/2018



Summary of Contents for Fortinet FortiNac BFN620

  • Page 1 Appliance Installation Guide Version: 8.3 Date: 8/24/2018...
  • Page 2 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET KNOWLEDGE BASE http://kb.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ FORTINET COOKBOOK http://cookbook.fortinet.com FORTINET TRAINING AND CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE https://training.fortinet.com/ FORTIGUARD CENTER https://fortiguard.com FORTICAST http://forticast.fortinet.com END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf Friday, August 24, 2018 FortiNAC Appliance Installation Guide 49-830-503677-20180731...
  • Page 3: Table Of Contents

    Contents Naming Conventions Ethernet Connections Process Overview Hardware Setup Connect To The Appliance Login To Configuration Wizard - Hardware Setup Verify License Key Assign IP Address Configuration Wizard - Passwords Connect To The Network Software Configuration Login To Configuration Wizard - Software Password Setup Network Type Layer 2 Network - VLANs...
  • Page 4: Naming Conventions

    Naming Conventions Before you begin the installation, you need to determine the Product Descriptor for the product you are configuring. • Refer to the Appliance Identification Details page in the information packet that came with your appliance. Locate your Appliance Identifier. •...
  • Page 5 Table 2: Naming Conventions for Appliance BFN330. Appliance: NS500CA; Product Name: Network Control and Application Server; Product Descriptor: NS500CA; Appliance Identifier: FortiNac Server; Label: SYS-BFN330-NS500CA. Table 3: Naming Conventions For Appliance BFN620. Appliance: NS2200; Product Name: Network Control ...; Product Descriptor: NS2200; Appliance Identifier: FortiNac...
  • Page 6: Ethernet Connections

    Table 6: Naming Conventions for Appliance BFN630XL. Appliance: NS700CA; Product Name: Ultra High Performance Control and Application Server; Product Descriptor: NS700CA; Appliance Identifier: FortiNac Server; Label: SYS-BFN630XL-NS700CA. Appliance: NS2000C; Product Name: Ultra High Performance Control Server; Product Descriptor: NS2000CA; Appliance Identifier: FortiNac Control Server; Label: SYS-BFN630XL-NS2000C. Appliance: NS2000A; Product Name: Ultra High Performance Application ...; Product Descriptor: NS2000CA; Appliance Identifier: FortiNac Application ...
  • Page 8: Process Overview

    Process Overview The following is a summary of the steps you will use to configure your appliance. Important: The FortiNac appliance set (physical or virtual) is intended for Fortinet software, tools and services only. Fortinet has not confirmed any other software, tools or services for use on it.
  • Page 9: Hardware Setup

    Hardware Setup Unpack and power up the appliance(s) as described in the Hardware Setup Guide included with the appliance. For some appliances, the power supply fan goes on when the appliance is first plugged in. Note: On some appliances the power switch is located behind the bezel on the front of the machine.
  • Page 10: Login To Configuration Wizard - Hardware Setup

    Hardware Setup Figure 2: Appliance BFN620 and BFN620XL Figure 3: Appliance BFN330 Figure 4: Appliance BFN630 and BFN630XL Login To Configuration Wizard - Hardware Setup If you have not done so already, bring up a web browser and navigate to: http://192.168.1.1:8080/configWizard (the wizard is served over plain HTTP on eth1, so the PC should be cabled directly to eth1 for this step; see Connect To The Network). Enter the credentials to gain access to the Configuration...
  • Page 11 Hardware Setup Note: You will be required to change the Configuration Wizard password during the setup process.
  • Page 12: Verify License Key

    Verify License Key Each appliance requires a unique License Key to run the application. The License Key contains the license count, license time, feature set, and high availability options. Note: When the License Key Validation window opens, if you do not see a license key, contact Customer Support or your sales representative to obtain it.
  • Page 13: Assign Ip Address

    Assign IP Address The initial Basic Network screen displays the Product Descriptor and the type of system you are configuring. See Naming Conventions on page 1. Configure the FortiNac appliance and enter the values based on the definitions in Basic Network Window Field Definitions below. WARNING: Do not use the following as the Host Name for the appliance: nac,...
  • Page 14 Assign IP Address Field definitions (continued). Subnet Mask: IPv4 mask for the appliance you are configuring. A subnet is a logical grouping of connected network devices; the mask defines the boundaries of the subnet. Subnet IPv6 Mask: IPv6 mask for the appliance you are configuring, in CIDR notation (e.g., 64).
  • Page 15: Configuration Wizard - Passwords

    Configuration Wizard - Passwords Figure 6: Basic Network - Assign IP Address Password fields appear empty until you modify a password. Passwords can be modified again later by accessing the Change Passwords screen. See Change Passwords After Configuration on page 45. CLI/SSH and Configuration Wizard passwords must be eight characters or longer and contain a lowercase letter, an uppercase letter, a number, and one of the following symbols:...
  • Page 16 Configuration Wizard - Passwords. Prohibited Symbols:
      ` back quote
      : colon
      [ open square bracket
      & ampersand
      " double quote
      ] close square bracket
      + plus
      ' single quote
      , comma
      = equal
      < less than
      . period
      | pipe
      > ...
  • Page 17: Connect To The Network

    Connect To The Network Disconnect the PC from the eth1 port on the appliance. Connect eth0 of the appliance to the network. If you have a FortiNac Control Server and FortiNac Application Server pair, connect eth0 of each appliance to the network. Port eth0 is the management interface for the appliance.
  • Page 18: Software Configuration

    Software Configuration Now that your appliance has been assigned an IP address and is connected to the network, you are ready to configure your NTP, time zone, routes, and DHCP scopes associated with your Layer 2 or Layer 3 network. Use the following buttons and links to navigate through the Configuration Wizard.
  • Page 19 Software Configuration Figure 7: Download Documentation Window...
  • Page 20: Password Setup

    Password Setup Figure 8: Change Passwords Figure 9: Configuration Wizard - Password Setup...
  • Page 21 Password Setup Table 10: Password Field Definitions. admin Password: the CLI/SSH password used to access the appliance (max. 64 characters); you are required to change this password. root Password: the CLI/SSH password used by Customer Support to access the appliance (max. 64 characters).
  • Page 22 Password Setup Close the window or tab. Click Next to continue.
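An offline check of the CLI/SSH and Configuration Wizard password rules summarized above (eight characters or longer, at most 64 per Table 10, a lowercase letter, an uppercase letter, a number, a symbol, and none of the prohibited symbols), together with a generator for admin/root passwords that satisfy them, added here as an example; it is not Fortinet's code and not part of the guide. The guide's list of permitted symbols is cut off on this page, so the example assumes any printable ASCII punctuation that is not on the prohibited list is acceptable, and the prohibited list itself is truncated after '>', so confirm both against the full guide before relying on the check.

```python
import secrets
import string

# Symbols the guide lists as prohibited (Page 16). The page's list is truncated
# after '>', so this set may be incomplete.
PROHIBITED_SYMBOLS = frozenset("`:[&\"]+',=<.|>")

# Assumption (the guide's list of permitted symbols is cut off on this page):
# any printable ASCII punctuation that is not prohibited counts as a symbol.
CANDIDATE_SYMBOLS = "".join(c for c in string.punctuation if c not in PROHIBITED_SYMBOLS)

MIN_LENGTH = 8   # Page 15: eight characters or longer
MAX_LENGTH = 64  # Page 21: max. 64 characters for the admin and root passwords


def check_wizard_password(password):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    prohibited = sorted(set(password) & PROHIBITED_SYMBOLS)
    if prohibited:
        problems.append("contains prohibited symbol(s): " + " ".join(prohibited))
    # Assumption: whitespace, control and non-ASCII characters are rejected to avoid
    # shell-quoting and encoding surprises when the password is typed over SSH.
    if any(c.isspace() or ord(c) < 32 or ord(c) > 126 for c in password):
        problems.append("contains whitespace, control or non-ASCII characters")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    if not any(c in CANDIDATE_SYMBOLS for c in password):
        problems.append("no permitted symbol")
    return problems


def generate_wizard_password(length=20):
    """Generate a random password from the allowed alphabet until one passes every rule."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    alphabet = string.ascii_letters + string.digits + CANDIDATE_SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_wizard_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs: the first trips the prohibited '.' rule, the second passes.
    for pw in ("Passw0rd.x", "Tr0ub4dor!x", generate_wizard_password()):
        print(pw, check_wizard_password(pw) or "OK")
```

Running the check before pasting a password into the wizard avoids a rejected submission mid-setup; the generator uses the secrets module rather than random so the result is suitable for the root and admin accounts.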
  • Page 23: Network Type

    Network Type At this point you must indicate whether you are connecting to a Layer 2 or a Layer 3 network. Important: In a High Availability environment with an L3 configuration where redundant FortiNac servers are on different subnets and do not use a shared IP address, you must select the Layer 3 network option.
  • Page 24: Layer 2 Network - Vlans

    Layer 2 Network - VLANs VLANs are the basic networking construct used to limit network access. When you implement network access control, include at least one non-production VLAN. In the Configuration Wizard this is the Isolation VLAN. If there is the need to separate clients based on state, such as known vs.
  • Page 25: Layer 2 Network - Configure Vlans

    Layer 2 Network - Configure VLANS The configuration views for the Isolation, Registration, Remediation, Dead End, VPN, Authentication and VLAN types are similar. The Access Point Management VLAN configuration view is slightly different in that it contains sections for both authorized and unauthorized clients. Samples of the Isolation and the Access Point Management views are shown below.
  • Page 26 Layer 2 Network - Configure VLANS Domain: identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com. Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communications issues.
  • Page 27 Layer 2 Network - Configure VLANS Figure 11: Layer 2 Isolation Figure 12: Add Subnet...
  • Page 28 Layer 2 Network - Configure VLANS Table 13: Layer 2 Access Point Management Field Definitions. Access Point Management Interface IP: eth1 IP address for the VLAN interface on eth1. This VLAN is used when more than one MAC address is detected on a single port.
  • Page 29 Layer 2 Network - Configure VLANS Mask: subnet mask. Lease Pool Start: starting and ending IP addresses that delineate the range of IP addresses available for unauthenticated users on this VLAN. Domain: identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain.
  • Page 30: Layer 2 Network - Additional Routes

    Layer 2 Network - Additional Routes Figure 13: Layer 2 Access Point Management If you want to configure additional routes within your Layer 2 network, see Layer 3 Network - Additional Routes on page 40 for steps. Configuration is the same for both network types. After you have configured additional routes, click Summary.
  • Page 31: Layer 3 Network - Route Scopes

    Layer 3 Network - Route Scopes Figure 14: Summary Of Layer 2 Network VLAN Configuration If you are configuring the appliance in a routed environment, as opposed to a Layer 2 environment, use the Layer 3 selection on the Network Type window. See Network Type on page 20.
  • Page 32 Layer 3 Network - Route Scopes Note: The Configuration Wizard dynamically writes all files configured on the FortiNac Control Server to the FortiNac Application Server. No direct configuration of the FortiNac Application Server is required after the initial basic network setup is completed. Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_".
  • Page 33: Layer 3 Network - Configure Route Scopes

    Layer 3 Network - Configure Route Scopes The configuration views for the Isolation, Registration, Remediation, Dead End, VPN and Authentication scopes are similar. The Access Point Management scopes configuration view contains sections for both Production and Isolation clients. Sample Isolation and Access Point Management views are shown below.
  • Page 34 Layer 3 Network - Configure Route Scopes Field Definition This field is optional and does not need to be configured if the appliance and all of the managed devices are on the same subnet. If the appliance and any managed devices are on different subnets, enter the IP address of the routing device.
  • Page 35 Layer 3 Network - Configure Route Scopes Figure 15: Layer 3 Network Configuration - Isolation Scopes...
  • Page 36 Layer 3 Network - Configure Route Scopes Figure 16: Add/Modify Layer 3 Scopes And Lease Pools Figure 17: Layer 3 Scopes - Add Lease Pool IP Range Table 16: Layer 3 Access Point Management Field Definitions. Access Point Management Interface: eth1 IP address for the VLAN interface on eth1.
  • Page 37 Layer 3 Network - Configure Route Scopes Mask: subnet mask. Access Point Management Scopes Label: user-specified name for the scope. Can be associated with a location, such as Building-B, or a function within the organization, such as Accounting. Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_".
  • Page 38 Layer 3 Network - Configure Route Scopes Lease Time: time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Access Point Management/Production is 3600 seconds.
  • Page 39 Layer 3 Network - Configure Route Scopes Figure 18: Layer 3 Access Point Management...
  • Page 40 Layer 3 Network - Configure Route Scopes Figure 19: Layer 3 Add Access Point Management Scopes...
  • Page 41: Importing Route Scopes

    Layer 3 Network - Configure Route Scopes Importing Route Scopes To import route scopes from a csv file, use one of the following formats:
      Single Route Format: ScopeLabel,Default Gateway,Mask,Domain,Lease Pool "start address-end address,start address-end address"
      Access Point Management Route Format: ScopeLabel,Production Default Gateway,Production Mask,Production Domain,Production Lease Pool "start address-end address,start address-end address",Isolation Default...
  • Page 42 Layer 3 Network - Configure Route Scopes Figure 20: Layer 3 Routes - Import Route Scopes Window...
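A pre-import check for the Single Route Format above, added here as an example; it is not Fortinet code and not part of the guide. It parses the quoted Lease Pool field with Python's csv module, rejects a ScopeLabel that begins with one of the reserved prefixes the guide lists for DHCP scopes (REG_, REM_, AUTH_, DE_, ISOL_, VPN_, HUB_), confirms every lease-pool range lies inside the subnet defined by the Default Gateway and Mask, and flags a .local Domain because of the agent caveat the guide gives for Domain fields. The sample rows are constructed; the rule that a pool must not include the gateway address is an assumption, not a rule stated in the guide. The Access Point Management Route Format is truncated on this page and is not handled.

```python
import csv
import io
import ipaddress

# Prefixes the guide says DHCP scope labels must not begin with (Pages 32 and 37).
RESERVED_LABEL_PREFIXES = ("REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", "HUB_")

# Constructed sample in the guide's Single Route Format (not taken from a real import).
# Row 1 is valid, row 2 uses a reserved label prefix, row 3 has a .local domain and a
# lease pool whose end address falls outside the scope's subnet.
SAMPLE_CSV = """\
Building-B,10.20.30.1,255.255.255.0,megatech-bldgb.example,"10.20.30.100-10.20.30.150,10.20.30.200-10.20.30.250"
REG_Lobby,10.20.40.1,255.255.255.0,megatech-lobby.example,"10.20.40.50-10.20.40.99"
Accounting,10.20.50.1,255.255.255.0,acct.local,"10.20.50.10-10.20.60.20"
"""


def parse_lease_pool(field):
    """Parse 'start-end,start-end' into a list of (start, end) IPv4Address pairs."""
    pools = []
    for entry in field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        start, sep, end = entry.partition("-")
        if not sep:
            raise ValueError(f"lease pool entry {entry!r} is not 'start-end'")
        start_ip = ipaddress.IPv4Address(start.strip())
        end_ip = ipaddress.IPv4Address(end.strip())
        if end_ip < start_ip:
            raise ValueError(f"lease pool entry {entry!r} ends before it starts")
        pools.append((start_ip, end_ip))
    if not pools:
        raise ValueError("lease pool is empty")
    return pools


def validate_single_route_row(row):
    """Return a list of problems for one Single Route Format row (empty list means OK)."""
    if len(row) != 5:
        return [f"expected 5 fields (ScopeLabel,Default Gateway,Mask,Domain,Lease Pool), got {len(row)}"]
    label, gateway, mask, domain, pool_field = (f.strip() for f in row)
    problems = []

    if not label:
        problems.append("ScopeLabel is empty")
    for prefix in RESERVED_LABEL_PREFIXES:
        if label.startswith(prefix):
            problems.append(f"ScopeLabel {label!r} begins with reserved prefix {prefix!r}")
            break

    # Gateway plus dotted mask define the scope's subnet; strict=False lets the gateway
    # (a host address) stand in for the network address.
    try:
        gateway_ip = ipaddress.IPv4Address(gateway)
        network = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    except ValueError as exc:
        problems.append(f"bad gateway/mask: {exc}")
        return problems

    # The guide warns that a .local suffix in Domain fields can break agent
    # communication on OS X, iOS and some Linux systems.
    if domain.lower().endswith(".local"):
        problems.append(f"Domain {domain!r} uses a .local suffix")

    try:
        pools = parse_lease_pool(pool_field)
    except ValueError as exc:
        problems.append(f"bad lease pool: {exc}")
        return problems

    for start_ip, end_ip in pools:
        if start_ip not in network or end_ip not in network:
            problems.append(f"lease pool {start_ip}-{end_ip} is outside subnet {network}")
        # Assumption, not from the guide: the gateway address must not be leased out.
        elif start_ip <= gateway_ip <= end_ip:
            problems.append(f"lease pool {start_ip}-{end_ip} includes the gateway {gateway_ip}")
    return problems


def validate_route_scopes_csv(text):
    """Validate every row of a Single Route Format CSV; returns [(row_number, problems), ...]."""
    results = []
    for number, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if row:
            results.append((number, validate_single_route_row(row)))
    return results


if __name__ == "__main__":
    for number, problems in validate_route_scopes_csv(SAMPLE_CSV):
        print(f"row {number}: {'OK' if not problems else '; '.join(problems)}")
```

Run this against the CSV before uploading it in the Import Route Scopes window; a row with problems is the one the wizard will reject or, worse, accept with a lease pool that hands out addresses from the wrong subnet.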
  • Page 43: Layer 3 Network - Additional Routes

    Layer 3 Network - Additional Routes When a client connects on eth1 from a remote network, the return packet uses the eth0 Default Gateway unless a network route is added. It is recommended that you configure your network so that outbound and inbound routing uses the same interface, such as eth1.
  • Page 44 Layer 3 Network - Additional Routes Figure 21: Additional Routes Window Figure 22: Add Route Window...
  • Page 45: Results: Layer 2/Layer 3 Networks Or Control Manager

    Results: Layer 2/Layer 3 Networks Or Control Manager Review the Results. Errors are noted at the top of the Results page. Scroll down through the results and note errors or warnings. Make changes and apply them until a successful configuration is written.
  • Page 46 Results: Layer 2/Layer3 Networks Or Control Manager Figure 23: Results Window...
  • Page 47: Log In To The Admin User Interface

    Log In To The Admin User Interface Note: The User Name and Password for the Admin User Interface are root/YAMS. These credentials are not changed in the Configuration Wizard, so they are still the documented factory defaults when you first reach the Admin User Interface. You will be prompted to change them when you log in the first time.
  • Page 48: Change Passwords After Configuration

    Change Passwords After Configuration Configuration files are overwritten whenever you run the Configuration Wizard. It is strongly recommended, therefore, that you do not make changes outside of the Configuration Wizard. Making all changes from within the Configuration Wizard prevents you from having custom configuration files that can be accidentally overwritten.
  • Page 49 Change Passwords After Configuration...
  • Page 50 Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
